News Items

SRL researchers built eight so-called "Smart Spies" and put them into app stores. SRL researchers were able to sneak in spyware into the applications, because third-party developers can extend the capabilities of Amazon Alexa - the voice assistant running in its Echo smart speakers - and Google Home through small voice apps, called Skills on Alexa and Actions on Google Home. Those apps they created currently create privacy issues, in that they can be abused to eavesdrop on users or to ask for their passwords. Some of the apps created kept the smart speaker listening after one thought it had gone deaf, and another app they created lied to users about there being an update they needed to install. The application would then vish (voice-phish) away the password the user supposedly needed to speak, so they can get that bogus install. Amazon and Google have been informed of the exploits and have since blocked the spying, phishing apps, and have fixed the exploits.

Naked Security reports: "Alexa and Google Home Phishing Apps Demonstrated by Researchers"

The Operational Technology Cyber Security Alliance (OTCSA) is a new global alliance aimed at improving the security of OT used in critical and industrial infrastructure. OT refers to the hardware and software used to detect or make changes by monitoring and controlling industrial devices. Cyberattacks on this technology could damage productivity, cause ecological disasters, and endanger public safety. The OTCSA will take on a multi-pronged approach to reducing the risk of cyberattacks, which includes bolstering the cyber-physical risk posture of OT environments, providing guidance to OT operators on how to maintain the security of their OT infrastructure, and supporting the implementation of critical infrastructure with a higher level of security. This article continues to discuss the OTCSA's mission, approach, and members.

Infosecurity Magazine reports "New Alliance Aims to Scupper Cyber-attacks on Operational Technology"

Smart bulbs are expected to be among the most popular gifts this holiday season. However, smart bulbs could have security vulnerabilities that could be exploited by hackers to steal users' personal information. Therefore, researchers at the University of Texas at San Antonio conducted a study on the security vulnerabilities contained by popular smart light bulb brands. According to Murtuza Jadliwala, professor and director of the Science, Privacy, Trust and Ethics in Computing Research Lab in UTSA's Department of Computer Science, smart bulbs have infrared capabilities that could be abused by hackers steal data or spoof other Internet of Things (IoT) devices on the network to which the bulbs are connected. The infrared invisible light produced by the smart bulbs can be used by hackers to send commands that could result in the performance of these malicious activities. This article continues to discuss the increased popularity of smart bulbs, how hackers could use these bulbs to steal information, and recommendations for avoiding such attacks on smart bulbs.

UTSA reports "UTSA Study Warns of Security Gaps in Smart Light Bulbs"

Two new cybersecurity bills, the Cybersecurity Disclosure Act of 2019 and the Mind Your Own Business Act (MYOB) of 2019, are expected to change the U.S. cybersecurity landscape if they become laws. The Cybersecurity Disclosure Act of 2019, proposed by Senator Jack Reed (D-RI), would require companies to disclose whether their board of directors has an adequate amount of cybersecurity expertise. The purpose of the Mind Your Own Business Act of 2019, introduced by Senator Ron Wyden (D-OR), is to strengthen the privacy of consumers by giving them more control over how their data is handled by organizations. The MYOB bill supports the sentencing of executives to prison for misusing Americans' data and lying about such practices to the government. This article continues to discuss the goals and requirements of the new cybersecurity bills, in addition to how the MYOB bill is stronger or weaker than the California Consumer Protection Act (CCPA).

Security Week reports "New Cybersecurity Bills Promote CISOs and Privacy"

The Center for Hardware and Embedded Systems Security and Trust is the National Science Foundation's new research center aimed at protecting electronics and networked systems from being hacked, damaged, and spied on, which will be led by the University of Cincinnati (UC). The National Science Foundation, the U.S. Department of Defense, and industry leaders will work with the center to do research focused on strengthening the security of products against cyberattacks. The center's academic partners include the University of Virginia, the University of Connecticut, the University of Texas at Dallas, the University of California, and Northeastern University. This article continues to discuss the mission, support, and partners of the Center for Hardware and Embedded Systems Security and Trust.

TechXplore reports "New Research Center Aims to Make Electronics More Secure"

Microsoft launched a bug bounty program for its open-source election software, called ElectionGuard, which is intended to improve the security, transparency, and accessibility of voting. The ElectionGuard is available as a software development kit (SDK). According to Jarek Stanley, a senior program manager at the Microsoft Security Response Center, the program invites security researchers, including full-time cybersecurity professionals, part-time hobbyists, and students, to find high impact vulnerabilities in the ElectionGuard SDK. Researchers are to share newly discovered vulnerabilities with Microsoft under the principle of Coordinated Vulnerability Disclosure. Microsoft's bug bounty program offers rewards, ranging from $500 to $15,000. This article continues to discuss the goals and scope of the ElectionGuard SDK and the bug bounty program launched for this product.

MeriTalk reports "Microsoft Launches Election Security Bug Bounty Program"

A new study conducted by researchers from the University of Cambridge and the University of Strathclyde explored the different ways in which law enforcement attempts to prevent young people from engaging in cybercrime to see how effective these methods are. According to the findings of this study, the removal of infrastructure and the launch of highly-targeted messaging campaigns by law enforcement are effective at reducing cyberattacks over a longer period of time as opposed to high-profile arrests and convictions of cybercriminals. Booter services refer to services offered by cybercriminals to those seeking to easily execute denial-of-service (DoS) attacks. These services are often used by gaming site users to attack each other. Researchers looked at how certain law enforcement interventions impacted the volume of DoS attacks. This article continues to discuss how the study was performed by researchers and what the results of this study suggest.

The University of Cambridge reports "Prevention Better Than Cure at Keeping Young Users From Getting Involved in Cybercrime"

Grant Hernandez, a PhD candidate at the Florida Institute of Cyber Security at the University of Florida, recently published proof-of-concept (PoC) code on GitHub for an Android zero-day vulnerability discovered by Google Project Zero security researchers. According to Hernandez, the PoC called Qu1ckR00t, can circumvent Discretionary Access Control (DAC) and Linux Capabilities (CAP). In addition, Security-Enhanced Linux (SELinux), Secure Computing Mode (SECCOMP), and Mandatary Access Control (MAC) can be disabled using the PoC. Attackers can use the PoC to gain full control of an Android device. This article continues to discuss the zero-day vulnerability and the PoC codes shared by researchers for this vulnerability.

ZDNet reports "Security Researcher Publishes Proof-Of-Concept Code for Recent Android Zero-Day"

In an effort to improve Facebook's security and privacy, the social media giant will enhance its bug bounty programs by allowing security researchers to actively search for vulnerabilities in third-party apps and websites that integrate with its platform. Instead of passively observing third-party apps and websites for vulnerabilities, security researchers will be able to test the apps and websites for security flaws. However, they must have permission from the third-party to do so. Allowing security researchers to take on a more active approach will result in the discovery of more vulnerabilities as they would be able to look at the different ways in which a third-party app could be exploited by attackers to abuse a user's data. In addition, those that discover rare security vulnerabilities will be rewarded with a $15,000 bonus. This article continues to discuss the expansion of Facebook's bug bounty programs.

CNET reports "Facebook's Bug Bounty Gets Bigger for Third-Party Apps"

The threat group known as Silent Librarian, TA407, or Cobalt Dickens, has been discovered to be using new tactics in an updated phishing campaign. Silent Librarian targets university students to steal student login credentials. According to researchers at Proofpoint, the group's recent campaign uses shortened URL links in phishing emails to make it increasingly difficult to detect the phishing attempt. These URLs redirect victims to revamped attacker-hosted landing pages that display university-specific banners, consisting of notifications about emergencies or the weather. This article continues to discuss the operations, new tactics, targets, and impact of the Silent Library threat group.

Threatpost reports "Silent Librarian Retools Phishing Emails to Hook Student Credentials"

The financially-motivated hacking group, FIN7, is back with new malicious tools. FIN7 hackers are known for targeting businesses, including fast-food restaurants, hotels, and casinos for the purpose of stealing payment data such as credit card numbers. They have installed customized malware on point-of-sale (PoS) machines and IT networks using spear-phishing techniques. According to researchers at FireEye, the hacking group is now deploying a new dropper, called Boostwrite, which is capable of circumventing detection by using valid certification. Boostwrite delivers a new payload, called Rdfsniffer, to interfere with remote administrative tools used to fix payment systems and PoS machines. This article continues to discuss the FIN7 hacking group in relation to its newly discovered malicious tools and techniques.

BankInfoSecurity reports "FIN7 Gang Returns With New Malicious Tools"

A team of researchers at Princeton University conducted studies on how adversaries can attack machine learning models. As the application of machine learning grows, it is important that we examine the different ways in which this technology can be exploited by attackers to develop countermeasures against them. The researchers demonstrated different adversarial machine learning attacks, which include data poisoning attacks, evasion attacks, and privacy attacks. Data poisoning attacks occur when an adversary inserts bad data into an AI system's training set. Evasion attacks refer to the manipulation of an input so that it appears normal to a human, but can be incorrectly classified by the machine learning model. Privacy attacks are performed when adversaries try to expose sensitive information using data learned by the machine learning model. This article continues to discuss the importance of exploring the vulnerabilities of machine learning technologies and the adversarial machine learning attacks demonstrated by researchers.

Princeton University reports "Protecting Smart Machines From Smart Attacks"

The Global Navigation Satellite System (GNSS) refers to satellite navigation systems that provide positioning, navigation, and timing (PNT) services with global coverage. If the GNSS suffered a major outage for one day, it would cost the U.S. an estimated $1 billion in damage as this system is relied upon for automation, efficiency, and safety. All of the ways in which the GNSS can be exploited by attackers must be further explored in order to improve the security of this system against attacks such as GPS spoofing. GPS spoofing occurs when an attacker interferes with legitimate GPS signals using a radio transmitter that is near a target. In the context of military combat, an adversary could execute GPS spoofing attacks to manipulate GPS receivers, which could lead to the hijacking of autonomous vehicles and robotic devices. This article continues to discuss the concept of GPS/GNSS spoofing, incidents of GPS spoofing, the different types of spoofing, and how receivers can be protected against spoofing attacks.

GPS World reports "How Do We Ensure GNSS Security Against Spoofing?"

In a new study, it has been discovered that the most serious blind spot during AI development is security. Nearly three-quarters (73%) of respondents in the study, indicated they don't check for security vulnerabilities during model building. More than half (59%) of organizations also don't consider fairness, bias or ethical issues during ML development. It was also found that privacy is similarly neglected, with only 35% checking for issues during model building and deployment. The majority (55%) of developers mitigate against unexpected outcomes or predictions, but this still leaves a large number who don't. Of the respondents, 16% don't check for any risks at all during development.

Help Net Security reports: "AI Development has Major Security, Privacy and Ethical Blind Spots"

The Iranian-linked hacking group that made more than 2,000 attempts to compromise email accounts associated with a U.S. presidential campaign, government officials, journalists, and prominent Iranians that live outside Iran, is also said to be targeting cybersecurity researchers. According to researchers at ClearSky Cyber Security, the group known as Charming Kitten, APT35, or Phosphorus, has been sending phishing emails to them. The hacking group also created a phishing website that appears to belong to ClearSky. In addition, the group built a fake web-mail page aimed at attacking ClearSky's clients. Such efforts have highlighted the extent to which cybercriminals may go to attack cybersecurity researchers when they try to expose hackers' operations. This article continues to discuss the attacks executed by the Iranian hacking group against cybersecurity researchers and other discoveries surrounding the group's latest activities.

CyberScoop reports "Group Said to Be Behind Attempted Campaign Hack Has Also Gone After Cybersecurity Researchers"

Efforts are being made by the U.S. National Institute of Standards and Technology's (NIST) National Cybersecurity Center of Excellence (NCCoE) to bolster the security of the Industrial Internet of Things (IIoT) attached to the nation's power grid. Through a program, NCCoE seeks to develop a solution for strengthening IIoT in a distributed energy resource environment. The flow of data from distributed energy resources (DERs), including wind turbines and solar panels, must be secured as these resources increase the vulnerability of the grid to disruption by cyberattackers. This article continues to discuss the focus and goals of the program as well as the increase in DERs, how such resources are introducing more threats to the grid, and other efforts to defend the grid against cyberthreats.

NextGov reports "NIST is Hunting for Tech to Secure the Energy Sector's Network"

A zero-day flaw in iTunes for Windows and iCloud for Windows has been patched by Apple. The actual bug was contained by Bonjour, a component that comes with iTunes for Windows machines used to deliver updates and help services discover each other. According to researchers at Morphisec, the bug is an unquoted service path, which occurs when a file path to an executable service is not surrounded by quotation marks. The bug has been exploited by attackers to circumvent users' security defenses such as antivirus software and run BitPaymer ransomware, also known as IEncrypt. This article continues to discuss the zero-day flaw that was contained by the Bonjour updater in relation to what type of vulnerability it was, its exploitation by attackers to execute ransomware, and how it was addressed by Apple, in addition to the effectiveness of the exploit.

SC Media reports "BitPaymer Ransomware Attackers Exploit Apple Flaw to Bypass Detection"

A team of researchers at Penn State World Camp have developed an approach consisting of a combination of different techniques to bolster the security of Internet of Things (IoT) devices such a smart TVs, smart speakers, wearables, and home video cameras. According to one researcher, the number of IoT devices in operation will reach 20 billion by 2020, which increases the vulnerability of users to security breaches. The breach of IoT devices could pose a threat to the privacy and safety of users. The approach created by the researchers to identify attacks and maintain the security of IoT systems involves the use of statistical data, machine learning, intrusion detection tools, visualization tools, and more. This article continues to discuss the techniques and tools applied in the team's approach, as well as how this approach will help security professionals strengthen IoT device security.

EurekAlert! reports "Combination of Techniques Could Improve Security for IoT Devices"

Researchers at MIT and the University of California at San Diego (UCSD) have developed a new machine-learning (ML) system that can be used to prevent IP hacking incidents before they occur by identifying serial IP hijackers. IP hijacking is a type of cyberattack in which cybercriminals exploit a flaw in the routing protocol for the Internet, Border Gateway Protocol (BGP). Through the performance of a BGP hijack, nearby networks can be convinced that a malicious actor's network has the best path to reach a specific IP address. The researchers gathered information from network operator mailing lists and historical BGP data to identify the common traits and behaviors of serial hijackers. Using the collected information, researchers trained their system to identify those traits and behaviors, allowing IP hacking incidents to be predicted in advance. This article continues to discuss the concept of IP hijacking, the ML system developed to detect such attacks before they occur, and the identification of false positives.

MIT News report "Using Machine Learning to Hunt Down Cybercriminals"

Google and Mozilla plan to encrypt a fundamental element of the Internet, the Domain Name System (DNS). Security was not considered in the design of DNS, allowing hackers to abuse weaknesses and vulnerabilities in the Internet system through a variety of different attacks such as DNS hijacking. The increase in such attacks has prompted this push to encrypt DNS. Two different methods that apply web encryption to DNS requests, called DNS over HTTPS (DoH) and DNS over TLS (DoT), have already been codified by the Internet Engineering Task Force standards body. This article continues to discuss the concept of DNS, the insecurity of DNS requests, the two protocols aimed at encrypting these requests, and concerns surrounding the encryption of DNS requests among cybersecurity professionals.

Wired reports "A Controversial Plan to Encrypt More of the Internet"

A new Internet of Things (IoT) report released by consulting and research firm, Independent Security Evaluators (ISE), details the presence of IoT security vulnerabilities in 13 popular small office/home office (SOHO) routers and network-attached storage (NAS) devices. The study of these devices resulted in 125 CVEs (Common Vulnerabilities and Exposures). According to the report, all 13 devices that were examined in this research contained one or more web app vulnerabilities. The exploitation of these vulnerabilities could allow attackers to compromise additional network devices, obtain sensitive information transmitted via devices, disable networks, and more. This article continues to discuss key findings of the IoT security report, the impact IoT security vulnerabilities, how these IoT weaknesses can be eliminated, what improvements have been made in IoT security, and the need for IoT device manufacturers to prioritize security.

CPO Magazine reports "New Report Outlines IoT Security Vulnerabilities"

In a news study, it has been discovered that nearly a quarter (24%) of malicious URLs are found to be hosted on trusted domains. This is done, because hackers know trusted domain URLs raise less suspicion among users and are more difficult for security measures to block. It was also discovered that 1 in 50 URLs (1.9%) were found to be malicious, which is high given that nearly a third (33%) of office workers click more than 25 work-related links per day. Nearly a third (29%) of detected phishing web pages use HTTPS as a method to trick users into believing they're on a trusted site via the padlock symbol. Phishing attempts grew rapidly, with a 400% increase in URLs discovered from January to July 2019. The top industries impersonated by phishing include: SaaS/Webmail providers (25%), financial institutions (19%), social media (16%), retail (14%), file hosting (11%), and payment services companies (8%).

Help Net Security reports: "Phishing Attempts Increase 400%, Many Malicious URLs Found on Trusted Domains"

A panel at the Black Hat USA 2019 conference highlighted the use of hacking skills for good as hacking is often perceived as bad. It was emphasized that white-hat hackers and IT security industry groups are applying their skills in a way that bolsters digital security for the public and private sector. Ethical hacking can lead to the discovery of security vulnerabilities in products and an increase in awareness about how these vulnerabilities can be exploited by malicious actors. This article continues to discuss the importance of ethical hackers, the Electronic Frontier Foundation, the introduction of new threats, and efforts to increase understanding surrounding these threats.

GCN reports "Hacking for the Public Good"

A researcher known as Wojciech used open source intelligence (OSINT) and a tool that he developed, called Kamerka, to demonstrate the ease at which adversaries can collect intelligence on U.S. critical infrastructure. Through the use of the Kamerka tool, Wojciech was able to discover 26,000 internet-exposed industrial control system (ICS) devices in the U.S. The tool also allowed Wojciech to determine the geographical locations of these industrial controls systems as well as the critical infrastructure targets that would be the most attractive to threat actors. Atlanta, Houston, Chicago, New York, Denver, and Philadelphia are the cities in which the highest percentage of these ICS devices were found. This article continues to discuss Kamerka's capabilities, the discovery of exposed ICS devices in the U.S., the vulnerabilities contained by such devices, and the potential use of OSINT by adversaries to perform reconnaissance on U.S. critical infrastructure.

Security Week reports "Researcher Shows How Adversaries Can Gather Intel on U.S. Critical Infrastructure"